To:
dnsop@cafax.se
From:
Pekka Savola <pekkas@netcore.fi>
Date:
Mon, 11 Aug 2003 14:01:32 +0300 (EEST)
Sender:
owner-dnsop@cafax.se
Subject:
comments on ipv6-transport-guidelines-00
Hi, A few comments on the new DNS IPv6 transport guidelines document. substantial ----------- ==> first as there are no references to the prior work, or any mention of it, I think it would be both appropriate and useful to add an "Acknowledgements" section which could begin with a paragraph dedicated to summarizing how this document came to be. In order to preserve name space continuity, the following administrative policies are RECOMMENDED: - every recursive DNS server SHOULD be either IPv4-only or dual stack, - every single DNS zone SHOULD be served by at least one IPv4 reachable DNS server. This rules out IPv6-only DNS servers performing full recursion and DNS zones served only by IPv6-only DNS servers. ==> as was noted in my comment in a related subject in v6ops earlier (just rehashing here with a different audience), this is not entirely accurate, especially with all the interpretations of "recursive DNS server". That is, it would be entirely OK to have an IPv6-only resolver point to a few IPv6-only DNS servers which would be configured to recurse from some other servers (ad infinitum) until a dual-stack recursive DNS resolver is found. Some might say that such a dummy DNS resolver is not really recursive but a forwarder but I might disagree.. So, I think we need to both clarify the terminology and decide what exactly we want to recommend or allow. (Note, if someone deploys IPv6-only networks with "first-hop DNS resolvers", being able to deploy IPv6-only recursive servers might be beneficial.) ==> the other thing to clarify might be "dual stack". Again, if one wanted to be entirely accurate, the question is about whether the DNS server software is programmed (and enabled) for the both IP versions while the node is dual-stack. I'm not sure how important this clarification is. In order to enforce the second point, the zone validation process SHOULD ensure that there is at least one IPv4 address record available for the name servers of any child delegations within the zone. ==> what is this "zone validation process"? where is it defined? where is it done (dns regisrars, dns software etc.)? 5. Security considerations Being a critical piece of the Internet infrastructure, the DNS is a potential value target and thus should be protected. Great care should be taken not to weaken the security of DNS while introducing IPv6 operation. The RECOMMENDED guidelines are compatible with the operation of DNSsec and do not introduce any new security issues. ==> add something like below after the first paragraph: Keeping the DNS name space from fragmenting is a critical thing for the availability and the operation of the Internet; this memo addresses this issue by clear and simple operational guidelines. semi-editorial -------------- Abstract This memo provides guidelines and best common practice to operate DNS in a mixed world of IPv4 and IPv6 transport. ==> the abstract should be longer, and include e.g. the summary of those guidelines (if possible). ==> note: is the goal for this Informational or BCP? If Info, reword to remove reference to BCP [sic]. Today there are only a few DNS "zones" on the public Internet that are available over IPv6 transport, and they can mostly be regarded as "experimental". However, as soon as there is a root name server available over IPv6 transport it is reasonable to expect that it will become more common to have zones served by IPv6 servers over time. ==> The " as soon as there is a root name server available over IPv6 transport" is unrelated and irrelevant in this context, for the whole purpose of this document, please remove! (transport!=data; one could add IPv6 glue in root, gtld's or cctld's before those are available over IPv6) The RECOMMENDED approach to maintain name space continuity is to use administrative policies. ==> the curious reader now (before looking down a bit) begins to wonder, "OK, _what_ administrative policies??". Fix: s/policies./policies, as described in the next section./ :-) editorial --------- Internet Engineering Task Force Alain Durand INTERNET-DRAFT SUN Microsystems,inc. June, 17, 2003 Johan Ihren ==> s/Alain/A./, s/Johan/J./ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [2119]. ==> should avoid references in the I-D boilerplate. Abstract This memo provides guidelines and best common practice to operate DNS in a mixed world of IPv4 and IPv6 transport. ==> spell out DNS? ==> s/best common practice/Best Current Practice/ ? ==> "IPv4 and IPv6 _transport_" could be clarified. It's OK for those who're used to the terminology but begs questions like "transport for what? transport over what?" (same in terminology) 2. Introduction to the problem of name space fragmentation: following the referral chain ==> s/problem/Problem/ etc. for section titles etc. The caching resolver that tries to lookup a name starts out at the ==> s/lookup/look up/ If somewhere down the chain of referrals it is referred to a nameserver that is only accessible over a type of transport that is unavailable, a traditional nameserver is unable to finish the task. ==> s/a type of transport that is unavailable/an unavailable type of transport/ When the Internet moves from IPv4 to a mixture of IPv4 and IPv6 it is only a matter of time until this starts to happen and the complete DNS hierarchy starts to fragment into a graph where authoritative nameservers for certain nodes are only accessible over a certain transport. What is feared is that a node using only a particular version of IP, querying information about another node using the same version of IP can not do it because, somewhere in the chain of servers accessed during the resolution process, one or more of them will only be accessible with the other version of IP. ==> This paragraph only includes two (2!) long sentences, especially the latter. It might be a bit more user-friendly broken down to shorter ones.. :-) However, the second situation will not arise in a foreseeable time. Instead, it is expected that the transition will be from IPv4 only to a mixture of IPv4 and IPv6, with DNS data of theoretically three categories depending on whether it is available only over IPv4 transport, only over IPv6 or both. The latter is the best situation, and a major question is how to ensure that it as quickly as possible becomes the norm. [...] ==> the "latter" is a big ambiguous referral, perhaps just say "Having DNS data available on both transports is the best situation, ..." ? 3. Policy based avoidance of name space fragmentation. ==> s/ion./ion/ (similar for section header for section 4) DNSsec and do not introduce any new security issues. ==>s/DNSsec/DNSSEC/ ? 7. References ==> rename to "Normative References". 8. Full Copyright Statement ==> add the standard IPR boilerplate section prior to this one -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings #---------------------------------------------------------------------- # To unsubscribe, send a message to <dnsop-request@cafax.se>.